Univention Corporate Server Extended domain services documentation 2 Table of Contents 1. Integration of Ubuntu clients into a UCS domain ...................................................................... 4 1.1. Integration into the LDAP directory and the SSL certificate authority .................................. 4 1.2. Configuration of the System Security Services Daemon (SSSD) ......................................... 5 1.3. Configuring user logins .............................................................................................. 7 1.4. Kerberos integration .................................................................................................. 8 1.5. Limitations of the Ubuntu domain integration ................................................................ 9 1.6. Additional references ................................................................................................. 9 2. Integration of Linux/Unix systems into a UCS domain ............................................................. 10 2.1. Managing the systems in the Univention Management Console ........................................ 10 2.2. Configuration of the name resolution .......................................................................... 10 2.3. Configuration of the time server ................................................................................. 10 2.4. Access to user and group information of the UCS domain ............................................... 10 2.5. Integrating into Kerberos .......................................................................................... 11 2.6. Accessing a UCS print server .................................................................................... 12 3 Integration into the LDAP directory and the SSL certificate au- thority Chapter 1. Integration of Ubuntu clients into a UCS domain Univention Corporate Server allows the integration of Ubuntu clients. Initially a standard Ubuntu installation needs to be performed. The following section describe the configuration changes, which need to be made to integrate the Ubuntu client into the UCS domain. After successful integration users can authenticate on the Ubuntu clients with their standard UCS domain password and user name. This configuration has been tested with Ubuntu 12.04 LTS and 12.10 as well as Kubuntu 12.04 LTS and 12.10. 1.1. Integration into the LDAP directory and the SSL cer- Fe e d b a ck tificate authority After Ubuntu has been installed, some of it's configuration files need to be modified. To simplify the setup, the default configuration of the UCS master domain controller should be copied to the Ubuntu system, for example: # Become root sudo bash # Set the IP address of the UCS DC Master, 192.168.0.3 in this example export MASTER_IP=192.168.0.3 mkdir /etc/univention ssh root@${MASTER_IP} ucr shell | grep -v ^hostname= >/etc/univention/ucr_master echo "master_ip=${MASTER_IP}" >>/etc/univention/ucr_master . /etc/univention/ucr_master echo "${MASTER_IP} ${ldap_master}" >>/etc/hosts # Exit sudo bash exit In the default configuration of UCS only authenticated users can search in the LDAP directory. As such, the Ubuntu client needs an account in the UCS domain to gain read access to the LDAP directory: # Become root sudo bash # Set some environment variables . /etc/univention/ucr_master # Download the SSL certificate mkdir -p /etc/univention/ssl/ucsCA/ wget -O /etc/univention/ssl/ucsCA/CAcert.pem \ http://${ldap_master}/ucs-root-ca.crt # Create an account and save the password password="$(tr -dc A-Za-z0-9_ </dev/urandom | head -c8)" if [ "$version_version" = 3.0 ] && [ "$version_patchlevel" -lt 2 ] then 4 Configuration of the System Security Services Daemon (SSSD) ssh root@${ldap_master} udm computers/managedclient create \ --position "cn=computers,${ldap_base}" \ --set name=$(hostname) --set password="${password}" else ssh root@${ldap_master} udm computers/ubuntu create \ --position "cn=computers,${ldap_base}" \ --set name=$(hostname) --set password="${password}" \ --set operatingSystem="$(lsb_release -is)" \ --set operatingSystemVersion="$(lsb_release -rs)" fi echo "${password}" > /etc/ldap.secret # Create ldap.conf cat >/etc/ldap/ldap.conf <<__EOF__ TLS_CACERT /etc/univention/ssl/ucsCA/CAcert.pem URI ldap://$ldap_master:7389 BASE $ldap_base __EOF__ # Exit sudo bash exit 1.2. Configuration of the System Security Services Dae- Fe e d b a ck mon (SSSD) SSSD provides a set of daemons to manage access to remote directories and authentication mechanisms. # Become root sudo bash # Set some environment variables . /etc/univention/ucr_master # Install SSSD based configuration DEBIAN_FRONTEND=noninteractive apt-get -y install sssd # Create sssd.conf cat >/etc/sssd/sssd.conf <<__EOF__ [sssd] config_file_version = 2 reconnection_retries = 3 sbus_timeout = 30 services = nss, pam, sudo domains = $kerberos_realm [nss] reconnection_retries = 3 [pam] reconnection_retries = 3 [domain/$kerberos_realm] auth_provider = krb5 krb5_kdcip = ${master_ip} 5 Configuration of the System Security Services Daemon (SSSD) krb5_realm = ${kerberos_realm} krb5_server = ${ldap_master} krb5_kpasswd = ${ldap_master} id_provider = ldap ldap_uri = ldap://${ldap_master}:7389 ldap_search_base = ${ldap_base} ldap_tls_reqcert = never ldap_tls_cacert = /etc/univention/ssl/ucsCA/CAcert.pem cache_credentials = true enumerate = true ldap_default_bind_dn = cn=$(hostname),cn=computers,${ldap_base} ldap_default_authtok_type = password ldap_default_authtok = $(cat /etc/ldap.secret) __EOF__ chmod 600 /etc/sssd/sssd.conf # Install auth-client-config DEBIAN_FRONTEND=noninteractive apt-get -y install auth-client-config # Create an auth config profile for sssd cat >/etc/auth-client-config/profile.d/sss <<__EOF__ [sss] nss_passwd= passwd: compat sss nss_group= group: compat sss nss_shadow= shadow: compat nss_netgroup= netgroup: nis pam_auth= auth [success=3 default=ignore] pam_unix.so nullok_secure \ try_first_pass auth requisite pam_succeed_if.so uid >= 500 quiet auth [success=1 default=ignore] pam_sss.so use_first_pass auth requisite pam_deny.so auth required pam_permit.so pam_account= account required pam_unix.so account sufficient pam_localuser.so account sufficient pam_succeed_if.so uid < 500 quiet account [default=bad success=ok user_unknown=ignore] pam_sss.so account required pam_permit.so pam_password= password sufficient pam_unix.so obscure sha512 password sufficient pam_sss.so use_authtok password required pam_deny.so pam_session= session required pam_mkhomedir.so skel=/etc/skel/ umask=0077 session optional pam_keyinit.so revoke session required pam_limits.so session [success=1 default=ignore] pam_sss.so session required pam_unix.so __EOF__ 6 Configuring user logins auth-client-config -n -a -p sss # Start sssd service sssd start # Exit sudo bash exit The commands getent passwd and getent group should now also display all users and groups of the UCS domain. 1.3. Configuring user logins Fe e d b a ck The home directory of a user should be created automatically during login: # Become root sudo bash cat >/usr/share/pam-configs/ucs_mkhomedir <<__EOF__ Name: activate mkhomedir Default: yes Priority: 900 Session-Type: Additional Session: required pam_mkhomedir.so umask=0022 skel=/etc/skel __EOF__ DEBIAN_FRONTEND=noninteractive pam-auth-update exit During login users should also be added to some system groups: # Become root sudo bash echo '*;*;*;Al0000-2400;audio,cdrom,dialout,floppy,plugdev,adm' \ >>/etc/security/group.conf cat >>/usr/share/pam-configs/local_groups <<__EOF__ Name: activate /etc/security/group.conf Default: yes Priority: 900 Auth-Type: Primary Auth: required pam_group.so use_first_pass __EOF__ DEBIAN_FRONTEND=noninteractive pam-auth-update exit By default the Ubuntu login manager only displays a list of local users during login. After adding the following lines an arbitrary user name can be used: # Become root 7 Kerberos integration sudo bash # Add a field for a user name echo "greeter-show-manual-login=true" >>/etc/lightdm/lightdm.conf # Optional: Disable the user selection at the login screen echo "greeter-hide-users=true" >>/etc/lightdm/lightdm.conf exit Kubuntu 12.10 uses AccountService, a D-Bus interface for use account management, which ignores the / etc/lightdm.conf file. Since there is no config file for AccountService the login theme needs to be changed to classic under System Settings -> Login Screen (LightDM). With these settings the login for domain members should be possible after a restart of LightDM or a reboot. 1.4. Kerberos integration Fe e d b a ck Every UCS domain provides a Kerberos domain. Since Kerberos relies on DNS, the Ubuntu client should use a UCS domain controller as its DNS server. The following steps provide an example configuration for Kerberos: # Become root sudo bash # Set some environment variables . /etc/univention/ucr_master # Install required packages DEBIAN_FRONTEND=noninteractive apt-get install -y heimdal-clients # Default krb5.conf cat >/etc/krb5.conf <<__EOF__ [libdefaults] default_realm = $kerberos_realm kdc_timesync = 1 ccache_type = 4 forwardable = true proxiable = true [realms] $kerberos_realm = { kdc = $master_ip $ldap_master admin_server = $master_ip $ldap_master } __EOF__ # Stop and disable the avahi daemon service avahi-daemon stop sed -i 's|start on (|start on (never and |' /etc/init/avahi-daemon.conf # Synchronize the time with the UCS system ntpdate $ldap_master # Test Kerberos kinit Administrator 8 Limitations of the Ubuntu domain integration # Requires domain password krsh
Details
-
File Typepdf
-
Upload Time-
-
Content LanguagesEnglish
-
Upload UserAnonymous/Not logged-in
-
File Pages12 Page
-
File Size-